About | ACP | Buy | Forum | Industry Watch | Learning Curve | Search | Twitter | Xnews
Home » Learning Curve

'Are Macs safe from viruses and hackers?'

A more nuanced and thorough answer.

Buy It

Try It

Keir Thomas led off Friday at Macworld UK with a few pointers on how to make Macs more secure.

'OS X is inherently secure, but there are a handful of steps you can take to tighten things even further', said Thomas.

True enough. And what with limited screen real estate, perhaps Thomas could go no further.

But Rixstep can.

Why Secure?

Thomas jumps right over this one, after proclaiming Macs to be inherently secure. Are they secure? And if yes, then why?

Yes, Macs are secure. And they're inherently secure as well. They're inherently secure because, as pointed out ad infinitum at this site, they have a security model.

Explaining things like this to other 'IT professionals' is difficult enough. Explaining them to people on the street is even more difficult. But the base system of the Mac, FreeBSD, is a Unix system. And Unix was built from the ground up with security in mind.

Security might not have been uppermost in the minds of Ken Thompson and Dennis Ritchie back then, as the threats we see today were unknown back then, but security in terms of common sense when dealing with multi-user environments was certainly a high priority.

Certain builds ('flavours') of Unix - the BSDs, the Linuxes, and so forth - are bound to be more secure than others. The great divide comes instead when comparing all these systems to the market leader: Windows. Unfortunately, that's the system most people are familiar with, and not being computer scientists themselves, they'll have little to go on, and little to use by way of comparison. All computers are like Windows, that's the way computers have always been, and so forth.

But Windows is a hodgepodge of a simple single-user system originally crafted for a 16-bit Intel processor with absolutely no concern at all for security, covered in an inappropriate layer of more 'hi-tech' systemware designed for network file servers (and not for local use). The marriage of these two 'technologies' is so inappropriate that the creator of that 'hi-tech' layer was opposed to its use in that fashion.

Or how's this for security? Old IBM PCs don't require a login password. Users don't have user accounts. There are no users or groups. Files aren't owned by users because there are no accounts. And because no one owns anything, a person with physical access to the system owns everything. No file, system or otherwise, can be protected. Any user, through malevolence or mishap, can tinker with and destroy anything.

Now compare with a Mac. What's the first thing that happens when you take a new Mac out of the box, when the 'welcome' routine begins? You set up your user account. You set up who you will be when using your own computer.

And if you're smart, you'll make sure your account is protected with a password. You can protect everything with that password. You can prevent unauthorised users from waking up your machine and using it - the system can demand your login password to proceed. There's protection built in.

You own the files you create. They're registered in your name. You the owner can determine exactly who gets to do what with your file. This system, known as mandatory access control, is part of Unix but nowhere to be seen in the original PC (or Mac - it's only the 'NeXT' in Mac that's different today).

You might think you're the only user on your Mac, but you'd be wrong. A better way to put this: a secure system requires login accounts, and a secure system requires different login accounts for different tasks and purposes.

You the user may be a so-called 'administrator' (it's your computer, after all) and you may be able in that capacity to assume other privileges on your own machine, but there will be user accounts still and all that can do things you normally cannot.

Windows has some of this today as well. But the problem is that all those security concerns are layered on a fundament that doesn't give a hoot about security. Think 'lipstick on a pig'. Dave Cutler could add his access control lists and user accounts to Windows (he didn't want to, he didn't want to work with personal workstation systems at all) but under the surface, it's still the same old IBM PC. Meant to be standalone. Built on CP/M technology. From the 1970s. Over twenty years before the 'World Wide Web' was invented by Tim Berners-Lee.

Dave Cutler's access control lists - a way of enforcing access control - were meant to be used on file servers, not on people's personal workstations. The complexity doesn't matter on a file server, but the complexity doesn't work well for a personal user.

Under the bonnet, Windows has the same security model as the IBM PC - that's to say, no security model at all. Files have no ownership, and therefore can't be protected. So-called file attributes are limited to harmless things that the user can override at any time without authentication.

Dave Cutler's 'NT' layer helps a bit - but again, it's mostly lipstick on a pig.

So it's not some macabre coincidence that there are millions of strains of Windows malware in the wild, growing more sophisticated (and deadly) by the day, and few if any real strains for any other platform.

Yes, Windows is a broad target (with such a broad demographic) but more importantly - and this is the feeding frenzy of the black hats - it's a fucking easy target.

Clueless Windows apologists have been whinging for years that the only reason they get attacked so much is that so many people are using their platform. That as Unix and Mac systems would grow in popularity, they'd get hit too.

But that hasn't happened. Anyone with a clue about system security knew it wouldn't. Macs grow more popular by the day - who uses a laptop that's not from Apple anymore?

So yes, Macs are secure. Macs are inherently secure.

The Five Tips

Keir Thomas has five 'tips' for making your Mac even more secure. Let's look at them one by one.

1. Turn on your Mac Firewall.

This goes without saying.

What does a firewall do? It limits access to your machine from the world beyond. Can this be crucial? Of course. New holes are found in software all the time. Perhaps a black hat's found a way to creep into your system and exploit just such a hole.

Thomas points out that controlling egress from your Mac is also important. There's always been an excellent product for that purpose - Little Snitch. Little Snitch can control what gets to leave your Mac - as in malware 'phoning home'.

Rixstep's GD will list all your connections in realtime so you can see if funky things are afoot, but with a bit of tweaking, Little Snitch can control them.

2. Gatekeeper.

Gatekeeper is clueless paranoia in the extreme. And it's Phase One of closing the gates to the walled garden forever. (If you can't guess what Phase Two is, look only to the iPhone and the iPad.)

Macs have run securely for over ten years. They're inherently secure, says Keir Thomas. So what do you care where your software comes from? And why should you care if Apple approved your software for your platform?

There's only one reason for something like Gatekeeper. Again: see if you can guess what it is.

[Clue: check this piece from 2009. Ed.]

3. Stear [sic] clear of browser plugins.

This must be news to users of Firefox who have one of the most thriving plugin communities anywhere. You don't have to be a Firefox fan to appreciate what they've done in that community. They've created an entire ecosystem.

Thomas bases this admonition on the threat from Java. Apple don't even ship Java anymore. You have to download it yourself, you fool.

The same holds for Flash. But Flash is more than a security consideration. It's an abomination. It renders media files in software. No one does that anymore.

But Flash contains a lot of insidious privacy violations as well. It has its own cookie system, and it lets providers control who gets to view what and where.

It's no fluke that YouTube have had their HTML 5 beta programme for years now, yet their clips continually demand Flash. It's the content providers demanding it. HTML 5 is an open platform. There's no room there for spying or controlling access.

Just avoid Flash. It melts your mobo and makes you the target for lots of things you wouldn't like.

4. Antivirus software for Mac.

No. Never. Why else have a Mac? Brian Krebs is against it. And there's no better authority anywhere. You don't need it. But guess what? The parasites who've made billions off Windows insecurities are panicking. They see that more and more people are fleeing Windows to Unix and the Mac, and they want to play their 'heroin economics' in those new markets (with you) too.

You don't need AV for the Mac. Most of the products mentioned by Thomas are crap anyway.

5. Keep Java and Flash up to date on your Mac.

No. Don't let Java and Flash onto your Mac in the first place. Apple don't ship new Mac hardware with either of them. You think that's perhaps a good clue?

What's Missing

The Macworld UK piece doesn't touch on much. It only touches the most basic, most apparent things. For the most clueless of users. They're actually a thin demographic. There are namely a lot of things you can do (without additional cost) to make yourself more 'secure' without a lot of effort. Especially in these tough 'NSA' times.

Privacy and security are big buzzwords. And they're connected. In this new era of global Internet surveillance, you have to be careful on all fronts.

1. Cookies.

Cookies are your number one nemesis. Bill Clinton admonished software companies to stop using cookies fifteen years ago. Guess how many companies listened? Surfing to a commonplace news site can result in over one hundred cookies being set on your Mac. One or more cookies from each advertisement on the page.

And who controls cookies today? On a global scale? Right: it's good old DoubleClick. And who owns DoubleClick today? That's your homework assignment. But don't say you were surprised when you find out.

Don't trust your browser to remove all cookies. Safari today is a telling example: that monster (still the best browser for the platform) keeps cookies all over the place. Safari keeps cookies in 'cache', in its own cookies depository, and in 'local storage'. It takes some time to get rid of them all.

Try exiting Safari, then launching again (without a web page) and then see how many cookies still persist. Try removing all cookies, then exiting and relaunching, and see how many cookies are still there!

As for blocking cookies, Safari offers only three options.

  1. From third parties and advertisers
  2. Always
  3. Never

Most people probably opt for option #1 - 'from third parties and advertisers' - but guess what? It doesn't work. Worse still: cookies that begin with a dot ('.') can pertain to any domain, vanity or otherwise, on the same network. Safari never bothered trying to protect you from them.

So what do you do? You stop surfing regularly, close all your tabs, remove all your cookies through your preference pane, exit, relaunch, and remove the cookies again. This should get rid of most of them.

You'll find Safari remnants (cookies) in the following locations.

  • ~/Library/Caches
  • ~/Library/Cookies
  • ~/Library/Safari
  • /var/folders/*/*/*/com.apple.Safari

Construct a good script to get rid of them all.

If you want to clean out the Google Chrome browser (you shouldn't run it) you can use the following script. (Remember that Chrome is insidious in a way Safari will hopefully never be.) Just copypasta the following into a script.

rm -fr ~/Library/Application\ Support/Google/Chrome/Default/Archived\ History ~/Library/Application\ Support/Google/Chrome/Default/Cookies ~/Library/Application\ Support/Google/Chrome/Default/Current* ~/Library/Application\ Support/Google/Chrome/Default/databases/* ~/Library/Application\ Support/Google/Chrome/Default/Favicons ~/Library/Application\ Support/Google/Chrome/Default/Extensions/* ~/Library/Application\ Support/Google/Chrome/Default/History* ~/Library/Application\ Support/Google/Chrome/Default/Last* ~/Library/Application\ Support/Google/Chrome/Default/Local\ Storage/* ~/Library/Application\ Support/Google/Chrome/Default/Login* ~/Library/Application\ Support/Google/Chrome/Default/QuotaManager ~/Library/Application\ Support/Google/Chrome/Default/Top\ Sites ~/Library/Application\ Support/Google/Chrome/Default/User\ StyleSheets/* ~/Library/Application\ Support/Google/Chrome/Default/Visited\ Links ~/Library/Application\ Support/Google/Chrome/Default/Web\ Data ~/Library/Application\ Support/Google/Chrome/chrome_shutdown_ms.txt ~/Library/Application\ Support/Google/Chrome/Local\ State ~/Library/Application\ Support/Google/Chrome/Safe\ Browsing* ~/Library/Application\ Support/Google/Chrome/Service* ~/Library/Application\ Support/Google/Chrome/Temp/* ~/Library/Caches/Google

But again: think twice about running it. It's not really worth it.

And make a habit of stopping whatever you're doing online and cleaning all cookies no matter what.

2. Static IPs.

Why did anyone ever think it was a good idea to have a static IP? No matter. It's a bad idea.

If you've been paying extra for a static IP, stop it now. If your provider insists on your having a static IP, change providers.

Check your IP from time to time. Some providers regularly change them. That's good. If they don't - change it for them. By rebooting your router.

Use this script to check your IP. And make a running note of your most recent IPs. Just copypasta into a script again.

printf 'Gateway: '; netstat -nr | grep default | awk '{print $2}';
printf ' Public: '; curl -s http://checkip.dyndns.org | awk '{print $6}' | awk 'BEGIN {FS="<"}{print $1}'

Yes, you can be identified even with a changing IP. Authorities can request records if they still exist (some providers keep them a few days, some keep them never, no matter what the law says) from your provider and correlate which subscriber had which IP at a given time. But the cookie-crazy spies online can't tell. And they're your most common concern.

3. The Ugly Nine.

The NSA struck deals with (at least) nine of the most pervasive web service providers years ago. Microsoft being the first. (That's no honour.)

Use the following script to see if your favourite (or corporate) webmail provider is working with them. Copypasta as usual. Invoke the script with the name of your mail server.

dig $1 MX | egrep -i 'gmail|google|microsoft'

Then stay away from webmail services at Microsoft, Yahoo, Google. Those services are all under NSA surveillance.

Stay away from Facebook as well. Facebook is perhaps the dumbest place you can be online.

Avoiding the NSA is tricky. There are two ways to go about it. Either put your trust completely in encryption technologies like PGP, or concentrate instead on staying under their radar.

It's not impossible - at least for the NSA - to be able to crack encryption algorithms, seeing as they regularly introduce backdoors and weaknesses into them. 256-bit encryption doesn't mean beans if there's a way to cheat one's way in anyway.

Look at what happened to Skype as an example. Skype offers encryption, but Skype's owner (Microsoft) gave the NSA a backdoor so they can snoop below the encryption level.

Or look at GlimmerGlass. What may have started as an honest endeavour to optimise backbone performance was turned by the NSA into the ultimate snooping technology - picking up 90% of the world's traffic at the endpoints where sea meets land.

Get offshore. Pick a new webmail provider not based in the US. Or North America. Or Sweden. Remember Lavabit. Remember Pamela Jones (who completely shut down her site as well). Choose a provider you think might be safer.

No guarantees here - no one knows. Use encryption at your discretion. Be aware that use of encryption might raise a flag somewhere in the surveillance industry. Hope for the best.

And for goodness sake do not put the words 'president', 'bomb', and 'assassinate' in the same email message.

4. Badware.

There's a certain class of software, not flagged by the App Store, that's not malware per se but isn't 'goodware' either. It's just sloppy software, perhaps buggy software, perhaps even dangerous software. It's badware.

Try enough apps for a long enough time and your system can get screwy. How many times were you asked for your account password when those products wanted to install?

Never give your Mac account password to anyone unless you know why and are satisfied with the explanation.

Apple have a way of installing system updates today that bypasses the need for your account password. Whatever it is, it's a clever hack, but it doesn't make people feel good. Given that something is a bit too clever for its own good there, and given that some black hat may someday figure out how to piggyback onto that system, you definitely have reason to be worried.

For now, you seem to be safe. (Knock on wood.)

But how about when ordinary software titles ask for that account password? Should you give it to them? Most vendors are not trying to harm your computer. But a lot of them are dumb. (Anyone remember the iTunes 2.0 update? The first Safari release?)

As post mortems are probably the only way to protect yourself, you should have good tools to conduct them each and every time you install new software. This is effective, painless, simple, and free. And should take you a long way to where you need to go.

If you can't stop bad stuff from happening until it's too late, at least make sure you can audit your Mac to recover afterwards.

5. Stay off Windows.

There's only one safe way to use Windows: offline.

(Amusingly, that's the only way Windows has ever been tested for security - no external drives allowed either.)

If you have to have a Windows box, then make sure you have an air gap. Do not under any circumstances connect a Windows computer to the Internet.

6. No bonus points for being stupid.

Stupidity should be painful, painted Dali Rău. And most of the time it is. But try to remember there's a bit of a war going on, and you're the good guys.

The bad guys are all the ones associated with Microsoft and the ancillary (parasitic) cottage industries, everything from supercilious 'security' websites to antivirus vendors. They're all waiting for the Big Mac Disaster. They've been waiting over ten years now. Keep them waiting.

A world without Windows is a better world. A safer world. A world where we all benefit. So don't do something stupid.

There've been too many really dumb attempts to bamboozle Mac users. And unfortunately there've been too many users duped by them. These aren't system failures - they're just people being stupid. Don't be stupid.

Been in the market for the Brooklyn Bridge recently? (It's not for sale.) Ever seen The Real Hustle? Remember their message, repeated over and over again? 'If it sounds too good to be true, it probably is.' Got another 419 message? Don't be stupid.

Malware will die as soon as Windows disappears. Count on it. It's just too much work (too high a cost) to attack Unix (Mac) computers. The money behind the malware will go elsewhere. Probably back to street crime. At least the Internet will be safer.

The Mac, as Keir Thomas said, is inherently secure. That doesn't mean it can't be successfully attacked, any more than Fort Knox can be regarded as impregnable if the guards out front are doobits.

But it does mean that you have the law of dwindling returns (and time) on your side.

7. Tor.

Tor is The Onion Router. 'Onion' is an Internet protocol that can be used to transmit (and receive) things online that ordinary browsers can't access. Tor is the browser that makes this possible. It's built atop Firefox.

Tor also 'anonymises' your web access. It's slow. It's slow because your traffic is routed through myriad other connections so the cookie monsters and NSA spies can't see who you are.

WikiLeaks used an advanced version of Tor for their submissions system. This prevented them (or anyone eavesdropping) from knowing who was actually sending stuff.

[They also put real packets with real content in streams with thousands of bogus packets to make things even more difficult. Ed.]

Tor is admittedly slow. It has to be. And some sites - Gmail, Wikipedia, et al - don't like it. But it's one of the safest ways you can surf online. And it's good to have around.

[And try Tails whilst you're at it, for the ultimate in online security: it's a bootable image. You never touch your actual computer. Ed.]

8. Keep your machine clean.

'Clean' means free of junk, cookies, bad software. 'Clean' means keeping control of your Mac. Knowing where things should be and seeing when things start happening that shouldn't happen. (But leave the paranoia for your friends on Windows.)

9. Automate your concerns.

This is a good tool. Use it or use something like it. You don't want to waste your valuable time on security. (Again: leave that for your paranoid Windows friends.)

About | ACP | Buy | Forum | Industry Watch | Learning Curve | Search | Twitter | Xnews
Copyright © Rixstep. All rights reserved.